False positives and false negatives - AC_AWS_0215 / AWS.S3Bucket.DS.High.1043 #1139

Closed
jrobison-sb opened this issue Feb 4, 2022 · 0 comments · Fixed by #1157
Assignees
Labels
policy Issue concerning policy maintainers.

Comments

@jrobison-sb
Contributor

  • terrascan version:
$ terrascan version
version: v1.13.0
  • Operating System:
    OSX

Description

From what I can tell, this rule is meant to alert when a bucket policy grants public access to a bucket, and it seems to be producing false positives and false negatives.

What I Did

resource "aws_s3_bucket" "private" {
  # This bucket has a private ACL and has no bucket policy at all, so this is
  # definitely a private bucket.
  bucket = "private"
  acl    = "private"
}

resource "aws_s3_bucket" "public" {
  bucket = "public"
}

data "aws_iam_policy_document" "public" {
  # This is the example use case for Granting read-only permission to an anonymous user
  # https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-2
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
    resources = ["${aws_s3_bucket.public.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket_policy" "public" {
  bucket = aws_s3_bucket.public.id
  policy = data.aws_iam_policy_document.public.json
}

It will detect public access, but in the wrong bucket. Here it calls out the private bucket as being the one to blame. This represents the false positive.

$ terrascan scan -i terraform  -f bucket.tf -o json  -t aws --scan-rules=AC_AWS_0215
{
  "results": {
    "violations": [
      {
        "rule_name": "s3EnforceUserACL",
        "description": "S3 bucket Access is allowed to all AWS Account Users.",
        "rule_id": "AC_AWS_0215",
        "severity": "HIGH",
        "category": "Identity and Access Management",
        "resource_name": "private",
        "resource_type": "aws_s3_bucket",
        "module_name": "root",
        "file": "bucket.tf",
        "line": 1
      }
    ],
    "skipped_violations": null,
    "scan_summary": {
      "file/folder": "/Users/me/devops/bucket.tf",
      "iac_type": "terraform",
      "scanned_at": "2022-02-04 00:02:35.106829 +0000 UTC",
      "policies_validated": 1,
      "violated_policies": 1,
      "low": 0,
      "medium": 0,
      "high": 1
    }
  }
}

And if I then delete the private bucket resource and leave the public bucket resources, I'll get a false negative:

resource "aws_s3_bucket" "public" {
  bucket = "public"
}

data "aws_iam_policy_document" "public" {
  # This is the example use case for Granting read-only permission to an anonymous user
  # https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-2
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
    resources = ["${aws_s3_bucket.public.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket_policy" "public" {
  bucket = aws_s3_bucket.public.id
  policy = data.aws_iam_policy_document.public.json
}

$ terrascan scan -i terraform  -f bucket.tf -o json  -t aws --scan-rules=AC_AWS_0215
{
  "results": {
    "violations": null,
    "skipped_violations": null,
    "scan_summary": {
      "file/folder": "/Users/me/devops/bucket.tf",
      "iac_type": "terraform",
      "scanned_at": "2022-02-04 00:04:40.790574 +0000 UTC",
      "policies_validated": 1,
      "violated_policies": 0,
      "low": 0,
      "medium": 0,
      "high": 0
    }
  }
}
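The attribution the reporter expects, written out as an added defender-side check (not part of the issue and not terrascan's own policy code): the two scenarios from the report are modelled as already-parsed resources (constructed dicts, no HCL parsing), the policy JSON is what aws_iam_policy_document.public would render, and each finding is attributed to the bucket that aws_s3_bucket_policy.bucket references, so the private bucket is never flagged and the public one is flagged with or without a second bucket present.

```python
import json

# Constructed stand-in for the parsed Terraform config in the issue (no HCL
# parsing here). The policy JSON is what aws_iam_policy_document.public renders.
PUBLIC_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                   "Resource": "arn:aws:s3:::public/*",
                   "Principal": {"AWS": "*"}}],
})

# aws_s3_bucket_policy.bucket references the bucket resource by address; that
# address, not some other aws_s3_bucket, is what a finding must be attributed to.
BOTH_BUCKETS = {
    "aws_s3_bucket.private": {"type": "aws_s3_bucket", "acl": "private"},
    "aws_s3_bucket.public": {"type": "aws_s3_bucket"},
    "aws_s3_bucket_policy.public": {"type": "aws_s3_bucket_policy",
                                    "bucket": "aws_s3_bucket.public",
                                    "policy": PUBLIC_POLICY_JSON},
}
# Second scenario from the issue: the private bucket removed.
PUBLIC_ONLY = {k: v for k, v in BOTH_BUCKETS.items() if k != "aws_s3_bucket.private"}


def principal_is_wildcard(principal):
    """True when a statement's Principal matches any AWS identity ('*' or AWS: '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_buckets(resources):
    """Bucket addresses whose attached policy has an Allow statement open to '*'.

    Condition blocks are not evaluated, so a conditional grant is still
    reported; the point here is attributing each grant to the right bucket.
    """
    flagged = set()
    for res in resources.values():
        if res["type"] != "aws_s3_bucket_policy":
            continue
        stmts = json.loads(res["policy"]).get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form
        if any(s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal"))
               for s in stmts):
            flagged.add(res["bucket"])
    return sorted(flagged)
```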
@gaurav-gogia gaurav-gogia added the policy Issue concerning policy maintainers. label Feb 16, 2022
@gaurav-gogia gaurav-gogia self-assigned this Feb 18, 2022
@gaurav-gogia gaurav-gogia linked a pull request Feb 18, 2022 that will close this issue